Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
540
Views
0
Helpful
4
Replies

Site to site VPN DMZ access control

cweiner
Level 1
Level 1

‎09-28-2007 03:09 PM - edited ‎02-21-2020 03:17 PM

I?m getting ready to shutdown and MPLS circuit and cut over to a site to site VPN. The tunnel will be between two PIX?s running 6.3.x. Once I disable sysopt connection permit-ipsec on both firewalls and modify the incoming access-list, users from Site A can access all the segments at Site B and vice versa. The issue that I can see happening is with one of the segments at Site B that is a DMZ

How can I setup ?one way? access to the DMZ so that LAN segments can initiate connections to the DMZ but hosts in the DMZ cannot initiate connect into the LAN over the site to site VPN. Would I do it with an access list on the DMZ interface?

-Colin

Labels:
0 Helpful
4 Replies 4

acomiskey
Level 10
Level 10

‎09-28-2007 03:32 PM

There would be several ways to accomplish this. Just create an access list on the dmz you want to restrict denying the access to the remote networks.

access-list dmz deny ip any

access-list dmz deny ip any

access-list dmz permit ip any any

access-list dmz in interface dmz

0 Helpful

cweiner
Level 1
Level 1
In response to acomiskey

‎09-28-2007 03:41 PM

Acomiskey

So this would still allow hosts at Site A to initiate connections with hosts in the DMZ at Site B over the VPN tunnel and traffic would be able to flow but at the same time, hosts in the DMZ would not be able to initiate connections with the LAN at Site A?

The reason I ask is because I think I tried this and it caused no traffic to be allowed at all but I could be mistaken.

Thanks

Colin

0 Helpful

acomiskey
Level 10
Level 10
In response to cweiner

‎09-28-2007 05:17 PM

Colin,

That is correct. It's no different than any other access list. As long as you allow it in the outside access list you will be good to go.

0 Helpful

cweiner
Level 1
Level 1
In response to acomiskey

‎10-01-2007 02:40 PM

I removed the sysopt connection permit-ipsec and set the ACLs to allow VPN traffic. The VPN works fine but hosts in the DMZ could initiate connections to the remote LAN over the VPN. I entered the deny statement for the DMZ interface:

access-list dmz deny ip any 1.1.1.0 255.255.255.0

access-list dmz permit ip any any

access-list dmz in interface dmz

Once I did that, no traffic could flow to or from the DMZ. What am I missing?

Thanks

Colin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents